Endpoint Protection


Access Denied Malware 

Sep 05, 2011 07:09 AM

I spent several hours trying to recover from a virus that renders the anti-virus software unusable. The symptoms and recovery are detailed below:


1.) The current running Rtvscan.exe (Symantec Endpoint Protection) detects the virus entering the system.

2.) The detection and scan appear as they normally do for the virus (note: 8 were eventually found).

3.) The scan dialogue begins but ends in error.

4.) When the Symantec GUI is brought up, the status shows that Antivirus and Antispyware protection is off. Using the "Fix It" button renders no results.

5.) Clicking on Scan and choosing Full Scan does nothing.

6.) Going into Windows Services shows the Symantec Endpoint Protection service is stopped. Attempts to start it give the "Access denied" error.

7.) Disconnected from the Internet to avoid infecting my home network. From another computer I downloaded and saved to a USB stick the following executables (AutoDetectPkg.exe, NPE.exe and Sep_SupportTool.exe) and transferred them to the infected computer.

8.) None of these tools recovered from the problem. The updater did not recognize that the product was installed.  The cleaner did not recognize the problem with Rtvscan.exe.

9.) In safe mode, signed on as local administrator, I checked the security properties of Rtvscan.exe. I tried renaming the file and got an access denied message. I tried deleting the executable and the same thing occurred. In Properties/Security on the file, all security had been removed, and the existing "Everyone" entry and its attributes were grayed out. I added "Administrators" with full control to the executable. I was then able to rename the file, and renamed it back to its original name.

10.) Once changed, the service started and I was able to run a full scan from the Symantec GUI. A total of eight viruses were found and removed. The product is running normally at this point.


A total of about six hours was spent trying to run Symantec standard recovery methods and researching on the net to restore the product to a usable state. The problem is that without Rtvscan.exe in an operable state the product does not function. Once the virus was detected, the Symantec web site does have documentation on the virus, but there is nothing stated about the actual problem and how to recover from it. This is an obvious problem because without the real-time scan operating the computer is open to infection from all attacks.
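The recovery sequence the post describes in steps 6 to 10 (inspect the DACL on Rtvscan.exe, add Administrators with Full Control, confirm the file can be renamed, then start the service) scripted in PowerShell, as an added example that is not part of the original post or of any Symantec tool. The install path and the service display name are assumptions for a default SEP install and may need adjusting; the removal of explicit Deny entries and the take-ownership fallback go beyond what the post describes, since it only reports an emptied DACL. Run from an elevated prompt, in Safe Mode as the post did.

```powershell
# Added example, not from the original post: automate the DACL repair on Rtvscan.exe
# that the post performed through the Properties > Security dialog, then restart SEP.
# ASSUMPTIONS: default SEP install path and the service display name below.
$Exe = 'C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe'
$SvcDisplayName = 'Symantec Endpoint Protection'

function Show-FileDacl {
    param([string]$Path)
    # Print owner and every ACE. An almost empty list, or Administrators missing
    # entirely, matches what the post saw in step 9.
    $acl = Get-Acl -Path $Path
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

function Repair-FileDacl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Beyond the post: also drop explicit Deny entries, since a Deny for Administrators
    # would produce the same "Access denied" as an emptied DACL.
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
    foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }
    # Step 9 of the post: Administrators gets Full Control on the executable.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    try {
        Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
    } catch {
        # Fallback (beyond the post): the owner can always rewrite the DACL, so take
        # ownership for the Administrators group and retry.
        Write-Warning "Set-Acl failed ($($_.Exception.Message)); taking ownership and retrying"
        & takeown.exe /F $Path /A | Out-Null
        Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
    }
}

function Test-FileRename {
    param([string]$Path)
    # The post's own check: renaming the file and renaming it back proves the repair took.
    $dir  = Split-Path -Parent $Path
    $leaf = Split-Path -Leaf $Path
    $tmp  = "$leaf.acltest"
    try {
        Rename-Item -Path $Path -NewName $tmp -ErrorAction Stop
        Rename-Item -Path (Join-Path $dir $tmp) -NewName $leaf -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Rename still denied: $($_.Exception.Message)"
        return $false
    }
}

function Start-SepService {
    param([string]$DisplayName)
    # Step 10 of the post: with the DACL fixed the stopped service can be started again.
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "No service with display name '$DisplayName'"; return $null }
    if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name -ErrorAction Stop }
    return (Get-Service -Name $svc.Name).Status
}

Write-Host '--- DACL before ---'; Show-FileDacl -Path $Exe
Repair-FileDacl -Path $Exe
Write-Host '--- DACL after ---';  Show-FileDacl -Path $Exe
if (Test-FileRename -Path $Exe) {
    Write-Host 'Rtvscan.exe is writable again; starting the service'
    Write-Host "Service status: $(Start-SepService -DisplayName $SvcDisplayName)"
}
```

Run the DACL listing first and keep its output: which principals were stripped, and whether Deny entries or a changed owner are present, is the evidence worth recording before the repair, since the post notes that none of the standard Symantec tools recognised the condition.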
